Network
=======

Firewalls
---------

Office firewall
~~~~~~~~~~~~~~~

We're using a UniFi Security Gateway in our office infrastructure.
This means you can configure the firewall rules via the `UniFi controller `_.

Datacenter firewalls
~~~~~~~~~~~~~~~~~~~~

There's no dedicated / central firewall for the servers in the datacenter.
Each server has several ``iptables`` rules in place.
Please have a look at the Ansible ``firewall`` rule for more information.

VPN connectivity
----------------

We've remote user VPNs configured on the `UniFi controller`_.
Please use the following settings to connect to our VPN:

+-----------+------------------------------------------------------------------------------+
| Type      | L2TP over IPSec                                                              |
+===========+==============================================================================+
| Server    | ``vpn.confirm.ch``                                                           |
+-----------+------------------------------------------------------------------------------+
| IPSec PSK | Stored in the :ref:`Enpass `                                                 |
+-----------+------------------------------------------------------------------------------+
| Account   | Defined in the UniFi controller under *Settings > Services > RADIUS > Users* |
+-----------+------------------------------------------------------------------------------+

.. important::

   If you're using OS X then you should have a look at the service order of the interfaces, because the DNS resolver depends on it.
   You might want to look up an internal hostname to check if everything works properly.

Domains
-------

We've several managed domains on our DNS servers.

These are our main domains:

+---------------+---------------------+-----------+
| Domain        | Usage               | Registrar |
+===============+=====================+===========+
| confirm.ch    | Main DNS zone       | Metanet   |
+---------------+---------------------+-----------+
| confirm.swiss | Main swiss DNS zone | Metanet   |
+---------------+---------------------+-----------+
| confirm.ninja | Main ninja DNS zone | Namecheap |
+---------------+---------------------+-----------+

Project domains:

+-----------+--------------+-----------+
| Domain    | Project      | Registrar |
+===========+==============+===========+
| freaks.io | FreaksIO     | Namecheap |
+-----------+--------------+-----------+
| pkg.ninja | PackageNinja | Namecheap |
+-----------+--------------+-----------+

Personal domains:

+------------------+----------------------------+-----------+
| Domain           | Usage                      | Registrar |
+==================+============================+===========+
| barton-online.ch | Domi's DNS zone (for mail) | Metanet   |
+------------------+----------------------------+-----------+
| thebartons.ch    | Domi's DNS zone            | Metanet   |
+------------------+----------------------------+-----------+

Main DNS zones
--------------

As mentioned before, ``confirm.ch`` is our main DNS zone and we use it for all of our DNS records.

+----------------+----------------------------------------------------------------+
| Zone           | Description                                                    |
+================+================================================================+
| confirm.ch     | Main DNS zone, contains CNAMEs to records in the server zones. |
+----------------+----------------------------------------------------------------+
| pvt.confirm.ch | Contains IP records of all private server addresses.           |
+----------------+----------------------------------------------------------------+
| pub.confirm.ch | Contains IP records of all public server addresses.            |
+----------------+----------------------------------------------------------------+

Private IP subnets
------------------

The private subnet design scheme is as follows:

.. code::

   10.U.LL.XXX
      ^ ^  ^
      | |  |
      | |  +-- 254 available IPs in each subnet
      | +----- Location (e.g. 0=Office, 1=Datacenter)
      +------- Usage (e.g. 1=Client, 2=Server)

Client subnets
~~~~~~~~~~~~~~

All client subnets are in ``10.1.0.0/16`` within VLAN ``1`` (i.e. the native VLAN).

+---------------+------+----------+-----------------+
| Subnet        | VLAN | Location | Description     |
+===============+======+==========+=================+
| 10.1.0.0/24   | 1    | Office   | Client VLAN     |
+---------------+------+----------+-----------------+
| 10.1.10.0/24  |      | Domi     | Domi's subnet   |
+---------------+------+----------+-----------------+
| 10.1.254.0/24 |      |          | VPN clients     |
+---------------+------+----------+-----------------+

Server subnets
~~~~~~~~~~~~~~

All server subnets are in ``10.2.0.0/16`` within VLAN ``2``.

+-------------+------+------------+--------------------+
| Subnet      | VLAN | Location   | Description        |
+=============+======+============+====================+
| 10.2.0.0/24 | 2    | Office     | Server VLAN        |
+-------------+------+------------+--------------------+
| 10.2.1.0/24 |      | Datacenter | Datacenter servers |
+-------------+------+------------+--------------------+

Other subnets
~~~~~~~~~~~~~

+---------------+------+-------------------+--------------------------------------------+
| Subnet        | VLAN | Location          | Description                                |
+===============+======+===================+============================================+
| 10.3.0.0/24   | 3    | Lab               | Lab In A Box                               |
+---------------+------+-------------------+--------------------------------------------+
| 10.4.0.0/24   | 4    | Streaming         | Streaming equipment, e.g. PTZ cameras      |
+---------------+------+-------------------+--------------------------------------------+
| 10.8.0.0/24   |      |                   | *free, e.g. for local VM & Docker subnets* |
+---------------+------+-------------------+--------------------------------------------+
| 10.9.0.0/24   | 9    | Office            | Guest VLAN                                 |
+---------------+------+-------------------+--------------------------------------------+
| 217.71.252.24 | 99   | Office / *Public* | :ref:`Public office IP subnet`             |
+---------------+------+-------------------+--------------------------------------------+

Public office IP subnet
-----------------------

ISP
~~~

The internet in the office is provided by `iWay `_.

- Our connectivity speed is ``1000``/``1000``
- Our customer number is ``373676``
- The OTO ID (*number of the fibre connector*) is ``B.102.027.151.5[.1]``
- For support have a look at the `iWay customer portal `_ and the `iWay support site `_

.. hint::

   DNS PTR records can be changed via the `iWay customer portal `_ (*Products > Edit > Reverse DNS*).

Routed subnet
~~~~~~~~~~~~~

.. important::

   Because we have a routed subnet, the gateway WAN port is configured with DHCP and is assigned an IP address outside of this subnet: ``84.254.96.223`` *aka* ``gw1.pub.confirm.ch``

   All **inbound local WAN traffic** and all **outbound LAN traffic** is routed via this IP address.
   Thus VPN connectivity and such relies on this IP address.

- Routed subnet: ``217.71.252.24/29``
- Configured on VLAN ID: ``99``

+------------------+--------------------+-------------------------+
| IPv4 address     | Usage              | DNS                     |
+==================+====================+=========================+
| 217.71.252.24/29 | *n/a: network ID*                            |
+------------------+--------------------+-------------------------+
| 217.71.252.25/29 | Gateway            |                         |
+------------------+--------------------+-------------------------+
| 217.71.252.26/29 | Proxmox            | proxmox1.pub.confirm.ch |
+------------------+--------------------+-------------------------+
| 217.71.252.27/29 | Nameserver         | ns2.pub.confirm.ch      |
+------------------+--------------------+-------------------------+
| 217.71.252.28/29 | Web Server         | web4.pub.confirm.ch     |
+------------------+--------------------+-------------------------+
| 217.71.252.29/29 | FreaksIO           | freaks.io               |
+------------------+--------------------+-------------------------+
| 217.71.252.30/29 | Development Server | dev1.pub.confirm.ch     |
+------------------+--------------------+-------------------------+
| 217.71.252.31/29 | *n/a: broadcast*                             |
+------------------+--------------------+-------------------------+

Public datacenter IP addresses
------------------------------

+------------------+---------------------------+--------------------------------+------------------------------+
| IPv4 address     | IPv6 address              | Usage                          | DNS                          |
+==================+===========================+================================+==============================+
| 80.74.129.106/24 | 2A00:1128:1:1::129:106/64 | Proxmox Server                 | proxmox2.pub.confirm.ch      |
+------------------+---------------------------+--------------------------------+------------------------------+
| 80.74.129.107/24 | 2A00:1128:1:1::129:107/64 | Proxmox Management Interface   | proxmox2-mgmt.pub.confirm.ch |
+------------------+---------------------------+--------------------------------+------------------------------+
| 80.74.137.78/24  | 2A00:1128:1:1::137:78/64  | Mail Server                    | mail1.pub.confirm.ch         |
+------------------+---------------------------+--------------------------------+------------------------------+
| 80.74.137.80/24  | 2A00:1128:1:1::137:80/64  | Web Server (Public Services)   | web1.pub.confirm.ch          |
+------------------+---------------------------+--------------------------------+------------------------------+
| 80.74.137.143/24 | 2A00:1128:1:1::137:143/64 | Web Server (Private Services)  | web2.pub.confirm.ch          |
+------------------+---------------------------+--------------------------------+------------------------------+
| 80.74.137.154/24 | 2A00:1128:1:1::137:154/64 | Web Server (Customer Services) | web3.pub.confirm.ch          |
+------------------+---------------------------+--------------------------------+------------------------------+
| 80.74.137.161/24 | 2A00:1128:1:1::137:161/64 | Gateway                        | gw2.pub.confirm.ch           |
+------------------+---------------------------+--------------------------------+------------------------------+
| 94.126.18.242/24 | 2A00:1128:1:1::18:242/64  | Name Server                    | ns1.pub.confirm.ch           |
+------------------+---------------------------+--------------------------------+------------------------------+
| 94.126.19.225/24 | 2A00:1128:1:1::19:225/64  | GitLab Server                  | git1.pub.confirm.ch          |
+------------------+---------------------------+--------------------------------+------------------------------+
| 94.126.19.226/24 | 2A00:1128:1:1::19:226/64  | Thaddeus                       | zambellis.ch                 |
+------------------+---------------------------+--------------------------------+------------------------------+
| 94.126.23.165/24 | 2A00:1128:1:1::23:165/64  |                                |                              |
+------------------+---------------------------+--------------------------------+------------------------------+
| 94.126.23.166/24 | 2A00:1128:1:1::23:166/64  | Calendar Server                | calendar1.pub.confirm.ch     |
+------------------+---------------------------+--------------------------------+------------------------------+

.. hint::

   - The IPv4 gateways are always on ``.1``
   - The IPv6 gateway is always ``fe80::1``
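The ``10.U.LL.XXX`` scheme and the ``pvt``/``pub`` zone split from the sections above, as an added Python example (not part of this documentation): it decodes an address into the usage and location codes the scheme names, picks the zone an A record belongs in, and lists the documented subnets whose usage or location code the scheme does not define, so those are reviewed rather than assumed. The subnet list is taken from the tables above; the function names are this example's own.

```python
"""Decode addresses per the 10.U.LL.XXX private subnet scheme.

Added example, not part of the original documentation: the usage and
location codes come from the scheme above, the subnet list from the
tables; anything outside the scheme is reported, not guessed.
"""
import ipaddress

# Codes stated in the scheme: second octet = usage, third octet = location.
USAGE = {1: "Client", 2: "Server"}
LOCATION = {0: "Office", 1: "Datacenter"}
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")

# Constructed input: the private subnets listed in the tables above.
DOCUMENTED_SUBNETS = [
    "10.1.0.0/24", "10.1.10.0/24", "10.1.254.0/24",
    "10.2.0.0/24", "10.2.1.0/24",
    "10.3.0.0/24", "10.4.0.0/24", "10.8.0.0/24", "10.9.0.0/24",
]


def decode(address):
    """Return (usage, location, host) for an address inside 10.0.0.0/8.

    Codes the scheme does not name come back as None instead of a guess.
    """
    ip = ipaddress.ip_address(address)
    if ip not in PRIVATE_10:
        raise ValueError(f"{address} is not in {PRIVATE_10}")
    _, usage, location, host = ip.packed
    return USAGE.get(usage), LOCATION.get(location), host


def zone_for(address):
    """Zone an A record belongs in: private -> pvt, everything else -> pub."""
    ip = ipaddress.ip_address(address)
    return "pvt.confirm.ch" if ip.is_private else "pub.confirm.ch"


def undocumented(subnets=DOCUMENTED_SUBNETS):
    """Subnets whose usage or location code the scheme does not define."""
    flagged = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        usage, location, _ = decode(str(net.network_address))
        if usage is None or location is None:
            flagged.append(cidr)
    return flagged


if __name__ == "__main__":
    for cidr in undocumented():
        print(cidr, "->", decode(cidr.split("/")[0]))
```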